Re: HTTPSig authentication

> On 14. Jun 2023, at 13:40, Nathan Rixham <nathan@webr3.org> wrote:
> 
> On Tue, Jun 13, 2023 at 10:00 AM Henry Story <henry.story@bblfish.net> wrote:
>> I have been working on an Authentication mechanism working purely at
>> the HTTP layer by building just very lightly on the IETF's “Signing HTTP Messages”
>> Specification.
> 
> I'd like to share a real world use-case, one of the larger websites I run has the following setup:
> 
> a) AWS Global Accelerator
> - takes incoming connections and routes them to the "nearest" data center
> b) 4x EC2 Load Balancers
> - one in each data center
> - handles TLS termination
> - each has a unique SSL certificate
> - protocol versions http2 & 1.1
> c) 8x Reverse Proxies (haproxy) listening
> - each load balancer above, balances over 2 reverse proxies, each reverse proxy listens on http1.1
> - each reverse proxy semi-persistently connects to a pool of reverse proxies over h2c (HTTP/2 Cleartext - 2 over 1.1 without TLS)
> d) multiple haproxies listening on h2c then keep-alived through to web servers
> e, f) ... irrelevant, but distant.
> 
> I'll spare the details, but the pertinent parts are as follows:
> - TLS is lost at level (b), this is true for many others, the TLS is terminated well before anything we can control and modify in any consequential manner
> - There is not 1, but rather multiple SSL certificates, in our case 4, I could easily scale this up to 20+, and many larger still sites will.
> - Anything application level or modifiable, is 3 steps away from TLS termination, and juggled over different connection types, with non static redundant routes.

That sounds like a very nice use case for Http Signatures.

> 
> That is, if any solution is TLS+SSL based, unless it's implemented within majors like AWS/EC2 services, or at the very least haproxy and similar, without any requirements which run down to application level, it literally cannot be deployed or utilized at scale, since the vast majority of scaled services terminate TLS as early in the process as possible, to cast off that weight and allow scaling.

Yes, Http Signatures allows an intermediary that lies behind a TLS termination point to add
a signature to the http request and include in the message the signing of the Certificate. There is an example in the spec for that use case:

https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-message-signatures-17#name-tls-terminating-proxies

It is also possible for the server to sign a response using fields from the Request.
I don’t fully have that implemented in my HttpSig library
https://github.com/bblfish/httpSig

But I would be happy to work on it when I get some financing for it.
Btw that library is designed to work in Java and JS (not yet for Node). It would
be interesting also to get it to work with
https://scala-native.org/

Henry
https://bblfish.net/
(note: my French phone number no longer works this week)

Received on Wednesday, 14 June 2023 12:25:40 UTC
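As an added illustration of the TLS-terminating-proxy case discussed in this thread (example code, not from the httpSig library or the draft), the following Python sketch builds the draft-17 signature base for a request, lets a proxy attach a Client-Cert field and sign over it with the draft's hmac-sha256 algorithm, and shows the origin verifying that signature before trusting the cert field. The key, keyid, header values and the simplified request representation are all constructed for the example.

```python
"""Constructed example: HTTP Message Signatures (draft-ietf-httpbis-message-signatures-17)
signature-base construction plus HMAC-SHA256 signing at a TLS-terminating proxy and
verification at the origin. Not code from httpSig or the draft."""
import base64
import hashlib
import hmac

# Constructed shared secret between proxy and origin (placeholder, not a real key).
PROXY_KEY = b"proxy-to-origin-secret-demo"
KEY_ID = "proxy-key-1"  # hypothetical keyid


def signature_base(components, params, request):
    """Build the signature base (draft-17 section 2.5) over the covered components.
    Derived components start with '@'; fields are looked up by lowercased name.
    `request` is a simplified dict: derived components as keys plus a 'headers' dict."""
    lines = []
    for name in components:
        value = request[name] if name.startswith("@") else request["headers"][name.lower()]
        lines.append(f'"{name}": {value}')
    comp_list = " ".join(f'"{c}"' for c in components)
    sig_params = f"({comp_list}){params}"
    lines.append(f'"@signature-params": {sig_params}')
    return "\n".join(lines), sig_params


def proxy_sign(request, created, cert_der):
    """TLS-terminating proxy: attach the client cert (byte-sequence form) and sign the
    method, authority, path and the Client-Cert field for the origin."""
    request["headers"]["client-cert"] = ":" + base64.b64encode(cert_der).decode() + ":"
    components = ["@method", "@authority", "@path", "client-cert"]
    params = f';created={created};keyid="{KEY_ID}";alg="hmac-sha256"'
    base, sig_params = signature_base(components, params, request)
    mac = hmac.new(PROXY_KEY, base.encode(), hashlib.sha256).digest()
    request["headers"]["signature-input"] = "sig1=" + sig_params
    request["headers"]["signature"] = "sig1=:" + base64.b64encode(mac).decode() + ":"
    return request


def origin_verify(request):
    """Origin: rebuild the base from Signature-Input and compare the MAC in constant
    time. Only a request that passes here may have its Client-Cert field trusted."""
    _label, sig_params = request["headers"]["signature-input"].split("=", 1)
    comp_str, params = sig_params[1:].split(")", 1)
    components = [c.strip('"') for c in comp_str.split()]
    base, _ = signature_base(components, params, request)
    expected = hmac.new(PROXY_KEY, base.encode(), hashlib.sha256).digest()
    given = base64.b64decode(request["headers"]["signature"].split(":")[1])
    return hmac.compare_digest(expected, given)
```

Any change to a covered component after signing, such as the path or the Client-Cert value, makes origin_verify return False.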